diff --git a/pkg/kubelet/BUILD b/pkg/kubelet/BUILD
index d1c0b61beed..bbd347c72d3 100644
--- a/pkg/kubelet/BUILD
+++ b/pkg/kubelet/BUILD
@@ -14,6 +14,8 @@ go_library(
 "kubelet.go",
 "kubelet_getters.go",
 "kubelet_network.go",
+ "kubelet_network_linux.go",
+ "kubelet_network_others.go",
 "kubelet_node_status.go",
 "kubelet_pods.go",
 "kubelet_resources.go",
diff --git a/pkg/kubelet/kubelet_network.go b/pkg/kubelet/kubelet_network.go
index a07ece7bb5c..0528d2c1e57 100644
--- a/pkg/kubelet/kubelet_network.go
+++ b/pkg/kubelet/kubelet_network.go
@@ -77,91 +77,6 @@ func (kl *Kubelet) updatePodCIDR(cidr string) error { return nil } -// syncNetworkUtil ensures the network utility are present on host. -// Network util includes: -// 1. In nat table, KUBE-MARK-DROP rule to mark connections for dropping -// Marked connection will be drop on INPUT/OUTPUT Chain in filter table -// 2. In nat table, KUBE-MARK-MASQ rule to mark connections for SNAT -// Marked connection will get SNAT on POSTROUTING Chain in nat table -func (kl *Kubelet) syncNetworkUtil() { - if kl.iptablesMasqueradeBit < 0 || kl.iptablesMasqueradeBit > 31 { - glog.Errorf("invalid iptables-masquerade-bit %v not in [0, 31]", kl.iptablesMasqueradeBit) - return - } - - if kl.iptablesDropBit < 0 || kl.iptablesDropBit > 31 { - glog.Errorf("invalid iptables-drop-bit %v not in [0, 31]", kl.iptablesDropBit) - return - } - - if kl.iptablesDropBit == kl.iptablesMasqueradeBit { - glog.Errorf("iptables-masquerade-bit %v and iptables-drop-bit %v must be different", kl.iptablesMasqueradeBit, kl.iptablesDropBit) - return - } - - // Setup KUBE-MARK-DROP rules - dropMark := getIPTablesMark(kl.iptablesDropBit) - if _, err := kl.iptClient.EnsureChain(utiliptables.TableNAT, KubeMarkDropChain); err != nil { - glog.Errorf("Failed to ensure that %s chain %s exists: %v", utiliptables.TableNAT, KubeMarkDropChain, err) - return - } - if _, err := kl.iptClient.EnsureRule(utiliptables.Append, utiliptables.TableNAT, KubeMarkDropChain, "-j", "MARK", "--set-xmark", dropMark); err != nil { - glog.Errorf("Failed to ensure marking rule for %v: %v", KubeMarkDropChain, err) - return - } - if _, err := kl.iptClient.EnsureChain(utiliptables.TableFilter, KubeFirewallChain); err != nil { - glog.Errorf("Failed to ensure that %s chain %s exists: %v", utiliptables.TableFilter, KubeFirewallChain, err) - return - } - if _, err := kl.iptClient.EnsureRule(utiliptables.Append, utiliptables.TableFilter, KubeFirewallChain, - "-m", "comment", "--comment", "kubernetes firewall for dropping marked 
packets", - "-m", "mark", "--mark", dropMark, - "-j", "DROP"); err != nil { - glog.Errorf("Failed to ensure rule to drop packet marked by %v in %v chain %v: %v", KubeMarkDropChain, utiliptables.TableFilter, KubeFirewallChain, err) - return - } - if _, err := kl.iptClient.EnsureRule(utiliptables.Prepend, utiliptables.TableFilter, utiliptables.ChainOutput, "-j", string(KubeFirewallChain)); err != nil { - glog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", utiliptables.TableFilter, utiliptables.ChainOutput, KubeFirewallChain, err) - return - } - if _, err := kl.iptClient.EnsureRule(utiliptables.Prepend, utiliptables.TableFilter, utiliptables.ChainInput, "-j", string(KubeFirewallChain)); err != nil { - glog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", utiliptables.TableFilter, utiliptables.ChainInput, KubeFirewallChain, err) - return - } - - // Setup KUBE-MARK-MASQ rules - masqueradeMark := getIPTablesMark(kl.iptablesMasqueradeBit) - if _, err := kl.iptClient.EnsureChain(utiliptables.TableNAT, KubeMarkMasqChain); err != nil { - glog.Errorf("Failed to ensure that %s chain %s exists: %v", utiliptables.TableNAT, KubeMarkMasqChain, err) - return - } - if _, err := kl.iptClient.EnsureChain(utiliptables.TableNAT, KubePostroutingChain); err != nil { - glog.Errorf("Failed to ensure that %s chain %s exists: %v", utiliptables.TableNAT, KubePostroutingChain, err) - return - } - if _, err := kl.iptClient.EnsureRule(utiliptables.Append, utiliptables.TableNAT, KubeMarkMasqChain, "-j", "MARK", "--set-xmark", masqueradeMark); err != nil { - glog.Errorf("Failed to ensure marking rule for %v: %v", KubeMarkMasqChain, err) - return - } - if _, err := kl.iptClient.EnsureRule(utiliptables.Prepend, utiliptables.TableNAT, utiliptables.ChainPostrouting, - "-m", "comment", "--comment", "kubernetes postrouting rules", "-j", string(KubePostroutingChain)); err != nil { - glog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", utiliptables.TableNAT, 
utiliptables.ChainPostrouting, KubePostroutingChain, err) - return - } - if _, err := kl.iptClient.EnsureRule(utiliptables.Append, utiliptables.TableNAT, KubePostroutingChain, - "-m", "comment", "--comment", "kubernetes service traffic requiring SNAT", - "-m", "mark", "--mark", masqueradeMark, "-j", "MASQUERADE"); err != nil { - glog.Errorf("Failed to ensure SNAT rule for packets marked by %v in %v chain %v: %v", KubeMarkMasqChain, utiliptables.TableNAT, KubePostroutingChain, err) - return - } -} - -// getIPTablesMark returns the fwmark given the bit -func getIPTablesMark(bit int) string { - value := 1 << uint(bit) - return fmt.Sprintf("%#08x/%#08x", value, value) -} - // GetPodDNS returns DNS settings for the pod. // This function is defined in kubecontainer.RuntimeHelper interface so we // have to implement it. diff --git a/pkg/kubelet/kubelet_network_linux.go b/pkg/kubelet/kubelet_network_linux.go new file mode 100644 index 00000000000..002b226b190 --- /dev/null +++ b/pkg/kubelet/kubelet_network_linux.go 
@@ -0,0 +1,111 @@
+// +build linux
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kubelet
+
+import (
+ "fmt"
+
+ "github.com/golang/glog"
+ utiliptables "k8s.io/kubernetes/pkg/util/iptables"
+)
+
+// syncNetworkUtil ensures the network utility are present on host.
+// Network util includes:
+// 1. In nat table, KUBE-MARK-DROP rule to mark connections for dropping
+// Marked connection will be drop on INPUT/OUTPUT Chain in filter table
+// 2. In nat table, KUBE-MARK-MASQ rule to mark connections for SNAT
+// Marked connection will get SNAT on POSTROUTING Chain in nat table
+func (kl *Kubelet) syncNetworkUtil() {
+ if kl.iptablesMasqueradeBit < 0 || kl.iptablesMasqueradeBit > 31 {
+ glog.Errorf("invalid iptables-masquerade-bit %v not in [0, 31]", kl.iptablesMasqueradeBit)
+ return
+ }
+
+ if kl.iptablesDropBit < 0 || kl.iptablesDropBit > 31 {
+ glog.Errorf("invalid iptables-drop-bit %v not in [0, 31]", kl.iptablesDropBit)
+ return
+ }
+
+ if kl.iptablesDropBit == kl.iptablesMasqueradeBit {
+ glog.Errorf("iptables-masquerade-bit %v and iptables-drop-bit %v must be different", kl.iptablesMasqueradeBit, kl.iptablesDropBit)
+ return
+ }
+
+ // Setup KUBE-MARK-DROP rules
+ dropMark := getIPTablesMark(kl.iptablesDropBit)
+ if _, err := kl.iptClient.EnsureChain(utiliptables.TableNAT, KubeMarkDropChain); err != nil {
+ glog.Errorf("Failed to ensure that %s chain %s exists: %v", utiliptables.TableNAT, KubeMarkDropChain, err)
+ return
+ }
+ if _, err := kl.iptClient.EnsureRule(utiliptables.Append, utiliptables.TableNAT, KubeMarkDropChain, "-j", "MARK", "--set-xmark", dropMark); err != nil { + glog.Errorf("Failed to ensure marking rule for %v: %v", KubeMarkDropChain, err) + return + } + if _, err := kl.iptClient.EnsureChain(utiliptables.TableFilter, KubeFirewallChain); err != nil { + glog.Errorf("Failed to ensure that %s chain %s exists: %v", utiliptables.TableFilter, KubeFirewallChain, err) + return + } + if _, err := kl.iptClient.EnsureRule(utiliptables.Append, utiliptables.TableFilter, KubeFirewallChain, + "-m", "comment", "--comment", "kubernetes firewall for dropping marked packets", + "-m", "mark", "--mark", dropMark, + "-j", "DROP"); err != nil { + glog.Errorf("Failed to ensure rule to drop packet marked by %v in %v chain %v: %v", KubeMarkDropChain, utiliptables.TableFilter, KubeFirewallChain, err) + return + } + if _, err := kl.iptClient.EnsureRule(utiliptables.Prepend, utiliptables.TableFilter, utiliptables.ChainOutput, "-j", string(KubeFirewallChain)); err != nil { + glog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", utiliptables.TableFilter, utiliptables.ChainOutput, KubeFirewallChain, err) + return + } + if _, err := kl.iptClient.EnsureRule(utiliptables.Prepend, utiliptables.TableFilter, utiliptables.ChainInput, "-j", string(KubeFirewallChain)); err != nil { + glog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", utiliptables.TableFilter, utiliptables.ChainInput, KubeFirewallChain, err) + return + } + + // Setup KUBE-MARK-MASQ rules + masqueradeMark := getIPTablesMark(kl.iptablesMasqueradeBit) + if _, err := kl.iptClient.EnsureChain(utiliptables.TableNAT, KubeMarkMasqChain); err != nil { + glog.Errorf("Failed to ensure that %s chain %s exists: %v", utiliptables.TableNAT, KubeMarkMasqChain, err) + return + } + if _, err := kl.iptClient.EnsureChain(utiliptables.TableNAT, KubePostroutingChain); err != nil { + glog.Errorf("Failed to ensure that %s chain %s exists: 
%v", utiliptables.TableNAT, KubePostroutingChain, err) + return + } + if _, err := kl.iptClient.EnsureRule(utiliptables.Append, utiliptables.TableNAT, KubeMarkMasqChain, "-j", "MARK", "--set-xmark", masqueradeMark); err != nil { + glog.Errorf("Failed to ensure marking rule for %v: %v", KubeMarkMasqChain, err) + return + } + if _, err := kl.iptClient.EnsureRule(utiliptables.Prepend, utiliptables.TableNAT, utiliptables.ChainPostrouting, + "-m", "comment", "--comment", "kubernetes postrouting rules", "-j", string(KubePostroutingChain)); err != nil { + glog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", utiliptables.TableNAT, utiliptables.ChainPostrouting, KubePostroutingChain, err) + return + } + if _, err := kl.iptClient.EnsureRule(utiliptables.Append, utiliptables.TableNAT, KubePostroutingChain, + "-m", "comment", "--comment", "kubernetes service traffic requiring SNAT", + "-m", "mark", "--mark", masqueradeMark, "-j", "MASQUERADE"); err != nil { + glog.Errorf("Failed to ensure SNAT rule for packets marked by %v in %v chain %v: %v", KubeMarkMasqChain, utiliptables.TableNAT, KubePostroutingChain, err) + return + } +} + +// getIPTablesMark returns the fwmark given the bit +func getIPTablesMark(bit int) string { + value := 1 << uint(bit) + return fmt.Sprintf("%#08x/%#08x", value, value) +} diff --git a/pkg/kubelet/kubelet_network_others.go b/pkg/kubelet/kubelet_network_others.go new file mode 100644 index 00000000000..53267bfc5f6 --- /dev/null +++ b/pkg/kubelet/kubelet_network_others.go 
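Review bot: The doc comment on the moved `syncNetworkUtil` (top of the hunk) does not state what this split makes true: the function is now Linux-only (the `!linux` build gets a no-op stub) and it is best-effort — every branch logs via glog.Errorf and returns without reporting failure, so an out-of-range or colliding `iptablesMasqueradeBit`/`iptablesDropBit` or a single iptables error can leave the KUBE-FIREWALL DROP rule or the MASQUERADE rule uninstalled while earlier chains already exist, with nothing but a log line to show for it. I would replace the header with `// syncNetworkUtil ensures the kubelet's iptables chains and rules are present on the host (Linux only; other platforms compile a no-op stub).` followed by `// It is best-effort: the first failing step is logged and the function returns early, so later rules may be missing and callers cannot observe failure.`, then keep the existing list of the two mark chains. The grammar of the current first lines (`ensures the network utility are present`, `will be drop`) should be fixed at the same time. Whether the two mark-bit flags should be validated once at startup instead of on every sync is a separate question the move does not answer.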
@@ -0,0 +1,22 @@
+// +build !linux
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kubelet
+
+// Do nothing.
+func (kl *Kubelet) syncNetworkUtil() {}
diff --git a/pkg/kubelet/kubelet_network_test.go b/pkg/kubelet/kubelet_network_test.go
index 7e611766c42..2dd0a5ffcf3 100644
--- a/pkg/kubelet/kubelet_network_test.go
+++ b/pkg/kubelet/kubelet_network_test.go
@@ -1,3 +1,5 @@
+// +build linux
+
 /*
 Copyright 2016 The Kubernetes Authors.
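Review bot: `// Do nothing.` on the non-Linux stub does not say why, and it hides a behavioural difference from the Linux build: the Linux `syncNetworkUtil` rejects an out-of-range or colliding `iptables-masquerade-bit`/`iptables-drop-bit` with an error log, whereas this stub accepts any value silently and installs no KUBE-MARK-DROP/KUBE-MARK-MASQ chains or KUBE-FIREWALL rule. I would replace the comment with `// syncNetworkUtil is a no-op on non-Linux platforms: iptables is Linux-only, so no KUBE-MARK-DROP/KUBE-MARK-MASQ chains are installed and the iptables mark-bit settings are not validated here.` Whether those settings should still be validated on other platforms (or once at flag-parsing time) deserves an explicit decision rather than falling out of the build-tag split.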